get "Kerberos 5 refuses you" in screensaver

Question

Level 1

0 points

get "Kerberos 5 refuses you" in screensaver

Hi,

Since upgrading to Lion I sometimes cannot login anymore from the screensaver. Today I logged in via ssh (this still works) and saw that when I press a key to make the login box appear the following appears in /var/log/secure.log:

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Got user: pevaneyn

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Got ruser: pevaneyn

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Got service: screensaver

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in od_principal_for_user(): No authentication authority returned

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in od_principal_for_user(): failed: 7

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Done cleanup3

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_authenticate(): Kerberos 5 refuses you

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in od_record_check_pwpolicy(): retval: 0

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in od_record_attribute_create_cfstring(): returned 2 attributes for dsAttrTypeStandard:AuthenticationAuthority

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Establishing credentials

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Got user: pevaneyn

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Context initialised

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Got euid, egid: 501 20

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Done getpwnam()

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Done setegid() & seteuid()

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): pam_sm_setcred: krb5 user pevaneyn doesn't have a principal

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Done cleanup3

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Done seteuid() & setegid()

Sep 9 13:26:07 pevaneyn-mac loginwindow[65]: in pam_sm_setcred(): Done cleanup4

Sep 9 13:53:35 pevaneyn-mac sshd[4952]: Accepted keyboard-interactive/pam for pevaneyn from 10.48.66.17 port 49506 ssh2

You can see me logging in at the end. No login window appears, the screen remains blank.

I recovered by reloading 😟.

I guess that the LKDC is messed up. What can I do to fix it?

MacBook Pro, Mac OS X (10.7.1)

Posted on Sep 9, 2011 6:34 AM

Reply

Answer 1

Redarm

Level 4

2,593 points

Nov 2, 2011 7:06 AM in response to pvaneynd

Maybe I can throw my lot in with you. I'm having a problem with Kerberos refusing me too and any progress would interest me. But it finally lets me pass, i.e. after filling in the password and hitting enter, I get a blue screen for half a second, then it carries on to log me in.

Nov 2 13:48:56 Users-MacBookPro loginwindow[81]: Login Window Started Security Agent

Nov 2 13:48:56 Users-MacBookPro SecurityAgent[164]: Echo enabled

Nov 2 13:49:02 Users-MacBookPro SecurityAgent[164]: User info context values set for user

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got user: user

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got ruser: (null)

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got service: authorization

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in od_principal_for_user(): No authentication authority returned

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in od_principal_for_user(): failed: 7

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Done cleanup3

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Kerberos 5 refuses you

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.

Nov 2 13:49:02 Users-MacBookPro authorizationhost[192]: Failed to authenticate user <user> (error: 9).

Nov 2 13:49:06 Users-MacBookPro SecurityAgent[164]: User info context values set for user

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got user: user

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got ruser: (null)

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Got service: authorization

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in od_principal_for_user(): No authentication authority returned

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in od_principal_for_user(): failed: 7

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Done cleanup3

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): Kerberos 5 refuses you

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm

Nov 2 13:49:06 Users-MacBookPro authorizationhost[192]: in pam_sm_acct_mgmt(): OpenDirectory - Membership cache TTL set to 1800.

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in od_record_check_pwpolicy(): retval: 0

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in od_record_attribute_create_cfstring(): returned 2 attributes for dsAttrTypeStandard:AuthenticationAuthority

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Establishing credentials

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Got user: user

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Context initialised

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Got euid, egid: 0 0

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Done getpwnam()

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Done setegid() & seteuid()

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): pam_sm_setcred: krb5 user user doesn't have a principal

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Done cleanup3

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Done seteuid() & setegid()

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): Done cleanup4

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): pam_sm_setcred: ntlm

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in ac_complete(): ac_complete returned: 0 for 501

Nov 2 13:49:07 Users-MacBookPro authorizationhost[192]: in pam_sm_setcred(): pam_sm_setcred: ntlm done

Nov 2 13:49:08 Users-MacBookPro SecurityAgent[164]: Login Window login proceeding

Nov 2 13:49:09 Users-MacBookPro com.apple.SecurityServer[33]: Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app' [81] for authorization created by '/System/Library/CoreServices/loginwindow.app' [81]

Nov 2 13:49:09 Users-MacBookPro loginwindow[81]: Login Window - Returned from Security Agent

Nov 2 13:49:09 Users-MacBookPro com.apple.SecurityServer[33]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' [81] for authorization created by '/System/Library/CoreServices/loginwindow.app' [81]

Reply

Answer 2

pvaneynd Author

Level 1

0 points

Nov 4, 2011 2:12 AM in response to Redarm

In the end my problems were solved by:

sudo rm -fr /var/db/krb5kdc /etc/krb5.keytab /Library/Keychains/System.keychain

sudo /usr/libexec/configureLocalKDC

followed by reloading.

This is a bit severe and I lost all system login/passwords, but I could recover and I have not seen the problem anymore....

Reply

Answer 3

Redarm

Level 4

2,593 points

Nov 4, 2011 2:58 AM in response to pvaneynd

Thanks for posting, pvaneynd.

I've already tried deleting the System.keychain, but not krb5kdc and the krb5.keytab.

What do you mean by "this is a bit severe"? Deleting the System.keychain alone loses all the passwords - did anything else happen?

PS. How did you arrive at that solution? Did you Google it, or did it grow on your own dung?

Reply

Answer 4

pvaneynd Author

Level 1

0 points

Nov 4, 2011 3:45 AM in response to Redarm

By "a bit severe" I meant that I did not expect to lose all the passwords for my encrypted volumes, wifi networks and VPN's.

Especially the VPN's was a little tricky to recover.

I found outdated instructions for 10.5 and just searched for the new locations.

Good luck!

Reply

Answer 5

Redarm

Level 4

2,593 points

Nov 4, 2011 4:11 AM in response to Redarm

Never mind. Seems it has nothing to do with my problem. I'm guessing mine is due to the invalid authentication token in Open Directory. Found some references in the install.log.

Edit: but thanks for the "configureLocalKDC". I needed that after deleting the System.keychain.

Reply